CVE-2024-47831

Denial of Service

Affects Next.js <=14.2.6 in Next.js

Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.

When image optimization is enabled, repeated requests for an image could lead to excessive CPU consumption and denial of service.

A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, including manipulating network packets or exploiting programming, logic, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if the way the service handles the resources it uses is abused.

Details

Module Info

Product: Next.js

Affected packages: Next.js

Affected versions: <=14.2.6

GitHub Repo: https://github.com/vercel/next.js

Published packages: Next.js

Package manager: npm

Vulnerability Info

This medium-severity vulnerability is found in the main distribution of Next.js in versions lower than or equal to 14.2.6.

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

  • Ensure that the next.config.js file assigns at least one of images.unoptimized, images.loader, or images.loaderFile.
  • Upgrade to a version of the framework that isn’t susceptible to the exploit.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.
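
As an added check that is not part of this advisory, the following Node script inspects a loaded next.config.js object and reports which of the three settings listed above is present. It assumes the Next.js defaults (images.loader is 'default' and images.unoptimized is false unless set), so those default values count as not assigned; the sample configs are constructed.

```javascript
// Added example, not from the advisory or the Next.js project: report which
// of the first-bullet mitigations a next.config.js object carries.
// Assumption: a loader of 'default' and unoptimized !== true are the Next.js
// defaults and therefore do not count as a mitigation.
function imageMitigation(config) {
  const images = (config && config.images) || {};
  if (images.unoptimized === true) {
    return 'images.unoptimized';
  }
  if (typeof images.loader === 'string' && images.loader !== 'default') {
    return 'images.loader';
  }
  if (typeof images.loaderFile === 'string' && images.loaderFile.length > 0) {
    return 'images.loaderFile';
  }
  return null; // image optimization still handled by the built-in optimizer
}

// One-line verdict suitable for a CI log or audit script.
function report(name, config) {
  const hit = imageMitigation(config);
  return hit
    ? `${name}: mitigated via ${hit}`
    : `${name}: NOT mitigated (built-in image optimizer active)`;
}

// Constructed sample configs for illustration (hypothetical contents).
const unmitigated = { reactStrictMode: true, images: { domains: ['example.com'] } };
const defaultLoader = { images: { loader: 'default' } };
const mitigated = { images: { loader: 'custom', loaderFile: './image-loader.js' } };

for (const [name, cfg] of Object.entries({ unmitigated, defaultLoader, mitigated })) {
  console.log(report(name, cfg));
}
```

Load the real config with `require('./next.config.js')` (or the resolved object if the file exports a function) and pass it to `report` to audit a project.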

Credit(s)

  • Brandon Dahler (brandondahler), AWS
  • Dimitrios Vlastaras

Vulnerability Details

ID: CVE-2024-47831

Project Affected: Next.js

Versions Affected: <=14.2.6

Published date: October 14, 2024

Fix date: October 14, 2024

Fixed in:

Severity: High

Category: Denial of Service